Hackaday has a long-running series on Mining and Refining, that tracks elements of interest on the human-made road from rocks to riches. What author Dan Maloney doesn’t address in that series is the natural history that comes before the mine. You can’t just plunk down a copper mine or start squeezing oil from any old stone, after all: first, you need ore. Ore has to come from somewhere. In this series, we’re going to get down and dirty into the geology of ore-forming processes to find out from wither come the rocks that hold our elements of interest.

What’s In an Ore?

Though we’re going to be talking about Planetary Science in this series, we should recognize the irony that “ore” is a word without any real scientific meaning. What distinguishes ore from other rock is its utility to human industry: it has elements or compounds, like gems, that we want, and that we think we can get out economically. That changes over time, and one generation’s “rock” can be another generation’s “ore deposits”. For example, these days prospectors are chasing copper in porphyry deposits at concentrations as low as 1000 ppm (0.1%) that simply were not economic in previous decades. The difference? Improvements in mining and refining, as well as a rise in the price of copper.
This may or may not be the fabled “mile of gold”. Image: “Main Street Kirkland Lake” by P199.
There’s a story everyone tells in my region, about a street in Kirkland Lake, Ontario that had been paved using waste rock from one of the local gold mines and then torn up when the price of gold rose enough to reprocess the pavement a part-per-million of microscopic flakes of yellow metal. That story is apocryphal: history records that there was mine product accidentally used in road works, but it does not seem it has ever been deemed economic to dig it back up. (Or if it was, there’s no written record of it I could find.)

It is established fact that they did drain and reprocess 20th century tailings ponds from Kirkland Lake’s gold mines, however. Tailings are, by definition, what you leave behind when concentrating the ore. How did the tailings become ore? When somebody wanted to process them, because it had become economic to do so.

It’s similar across the board. “Aluminum ore” was a meaningless phrase until the 1860s; before that, Aluminum was a curiosity of a metal extracted in laboratories. Even now, the concentration of aluminum in its main ore, Bauxite, is lower than some aluminum silicate rocks– but we can’t get aluminum out of silicate rock economically. Bauxite, we can. Bauxite, thus, is the ore, and concentration be damned.

So, there are two things needed for a rock to be an ore: an element must be concentrated to a high enough level, and it be in a form that we can extract it economically. No wonder, then, that almost all of the planet’s crust doesn’t meet the criteria– and that that will hold on every rocky body in the solar system.

Blame Archimedes

It’s not the planetary crusts’ fault; blame instead Archimedes and Sir Issac Newton. Rocky crusts, you see, are much depleted in metals because of those two– or, rather, the physical laws they are associated with. To understand, we have to go back, way back, to the formation of the solar system.
It might be metal, but there’s no ore in the core. Image: nau.edu, CC3.0
There’s a primitive elemental abundance in the solid bodies that first coalesced out of the protoplanetary disk around a young Sol and our crust is depleted in metals compared to it. The reason is simple: as unaltered bodies accreted to form larger objects, the collisions released a great deal of energy, causing the future planetoid to melt, and stay molten. Heat rejection isn’t easy in the thermos vacuum of space, after all. Something planetoid sized could stay molten long enough for gravity to start acting on its constituent elements.

Like a very slow centrifuge, the heavier elements sunk and the lighter ones rose by Archimedes principle. That’s where almost all of Earth’s metals are to this day: in the core. Even the Moon has an iron core thanks to this process of differentiation.

In some ways, you can consider this the first ore-forming process, though geologists don’t yet count planetary differentiation on their lists of such. If we ever start to mine the nickel-iron asteroids, they’ll have to change their tune, though: those metallic space-rocks are fragments of the core of destroyed planetoids, concentrated chunks of metal created by differentiation. That’s also where most of the metal in the Earth’s crust and upper mantle is supposed to have come from, during the Late Heavy Bombardment.

Thank the LHB

Image: “Comet Crash” by Ben Crowder. Repeat 10000x.
The Late Heavy Bombardment is exactly what it sounds like: a period in the history of this solar system 3.8 to 4.1 billion years ago that saw an uncommonly elevated number of impacts on inner solar system objects like the Earth, Moon, and Mars. Most of our evidence for this event comes from the Moon, in the form of isotopic dating of lunar rocks brought back by the Apollo missions, but the topography of Mars and what little geologic record we have on Earth are consistent with the theory. Not all of these impactors were differentiated: many are likely to have been comets, but those still had the primordial abundance of metals. Even cometary impacts, then, would have served to enrich the planet’s crust and upper mantle in metals.

Is that the story, then? Metal ores on Earth are the remnants of the Late Heavy Bombardment? In a word: No. Yes, those impacts probably brought metals back to the lithosphere of this planet, but there are very few rocks of that age left on the surface of this planet, and none of them are ore-bearing. There has been a lot of geology since the LHB– not just on Earth, but on other worlds like the Moon and Mars, too. Just like the ore bodies here on Earth, any ore we find elsewhere is likely to be from other processes.
It looks impressive, but don’t start digging just yet. (Image: Stromboli Eruption by Petr Novak)
One thing that seems nearly universal on rocky bodies is volcanism, and the so-called magmatic ore-forming processes are among the easiest to understand, so we’ll start there.

Igneous rocks are rocks formed of magma — or lava, if it cools on surface. Since all the good stuff is down below, and there are slow convection currents in the Earth’s mantle, it stands to reason some material might make its way up. Yet no one is mining the lava fields of Hawaii or Iceland– it’s not just a matter of magma = metals. Usually some geochemical processes has to happen to that magma in order to enrich it, and those are the magmatic ore forming processes, with one exception.

Magmatic Ore Formation: Kimberlite Pipes

Cross-sectional diagram of a kimberlite deposit. You can see why it’s called a pipe. The eruption would be quite explosive. (Image: Kansas Geological Survey)
Kimberlite pipes are formations of ultramaphic (very high in Magnesium) rock that explode upwards from the mantle, creating vertical, carrot-shaped pipes. The olivine that is the main rock type in these pipes isn’t a desirable magnesium ore because it’s too hard to refine.

What’s interesting economically is what is often brought to surface in these pipes: diamonds, and occasionally gold. Diamonds can only form under the intense pressures beneath the Earth’s crust, so the volcanic process that created kimberlite pipes are our main source of them. (Though not all pipes contain diamonds, as many a prospector has discovered to their disappointment.)

The kimberlite pipes seem to differ from ordinary vulcanism both due to the composition of the rock — ultramaphic rocks from relatively deep in the mantle — and the speed of that rock’s ascent at up to 400 m/s. Diamonds aren’t stable in magma at low pressures, so the magma that makes up a kimberlite pipe must erupt very quickly (in geologic terms) from the depths. The hypothesis is that these are a form of mantle plume.

A different mantle plume is believed to drive volcanism in Hawaii, but that plume expresses itself as steady stream and contains no diamonds. Hawaii’s lava creates basalt, less magnesium-rich rocks than olivine, and come from a shallower strata of the Earth’s mantle. Geochemically, the rocks in Hawaii are very similar to the oceanic crust that the mantle plume is pushing through. Kimberlite pipes, on the other hand, have only been found in ancient continental crusts, though no one seems entirely sure why.
You bet your Tanpi that Mars has had mantle plumes! (Image: NASA)
The great shield volcanoes on Mars show that mantle plumes have occurred on that planet, and there’s no reason to suppose kimberlite-type eruptions could not have occurred there as well. While some of the diamond-creating carbon in the Earth’s mantle comes from subducted carbonate rocks, some of it seems to be primordial to the mantle.

It is thus not unreasonable to suppose that there may be some small diamond deposits on Mars, if anyone ever goes to look. Venus, too, though it’s doubtful anyone will ever go digging to check. The moon, on the other hand, lacks the pressure gradients required for diamond formation even if it does have vulcanism. What the moon likely does posses (along with the three terrestrial planets) is another type of ore body: layered igneous intrusions.

A Delicious Cake of Rock

Chromite layers in the Bushveld Igneous Complex. Image: Kevin Walsh.
Layered igneous intrusions are, as the name suggests, layered. They aren’t always associated with ore bodies, but when they are, they’re big names like Stillwater (USA) and Bushveld (South Africa). The principle of ore formation is pretty simple: magma in underground chambers undergoes a slow cooling that causes it to fractionate into layers of similar minerals.

Fractional crystallization also has its role to play in concentrating minerals: as the melt cools, it’s natural that some compounds will have higher melting points and freeze out first. These crystals may sink to the bottom of the melt chamber or float to the top, depending on their density relative to the surrounding lava. Like the process of differentiation writ in miniature, heavy minerals sink to the bottom and light ones float to the top, concentrating minerals by density and creating the eponymous layers. Multiple flows of lava can create layers upon layers upon layers of the same, or similar, stacks of minerals.

There’s really no reason to suspect that this ore formation process should not be possible on any terrestrial planet: all one needs is a rich magma and slow cooling. Layered igneous intrusions are a major source of chromium, mainly in the form of Chromatite, an iron-chromium-oxide, but also economically important sources of iron, nickel, copper and platinum group elements (PGEs) amongst other metals. If nickel, copper, or PGEs are present in this kind of deposit, if they’re going to be economically extractable, it will be in the form of a sulfide. So-called sulfide melt deposits can coexist within layered igneous intrusions (as at Bushveld, where they produce a notable fraction of the world’s nickel) or as stand-alone deposits.

When Magma Met Sulfur

One of the problems with igneous rocks from a miner’s perspective is that they’re too chemically stable. Take olivine: it’s chock full of magnesium you cannot extract. If you want an an easily-refined ore, rarely do you look at silicate rock first. Igneous rocks, though, even when ultramafic like in Kimberlite pipes or layered melt deposits, are still silicates.

There’s an easy way to get ore from a magma: just add sulfur. Sulfur pulls metals out of the melt to create sulfide minerals, which are both very concentrated sources of metals and, equally importantly, very easy to refine. Sulfide melt deposits are some of the most economically important ones on this planet, and there’s no reason to think we couldn’t find them elsewhere. (The moon isn’t terribly depleted in sulfur.)
The Bear Stream Quarry is one of many Ni/Cu mines created by the Siberian Traps. (Image: Nikolay Zhukov, CC3.0)
Have you heard of the Siberian Traps? That was a series of volcanoes that produced a flood basalt, like the lunar mare. The volcanoes of the Siberian Traps were a primary cause of the End-Perimian mass extinction, and they put out somewhere between two and four million cubic kilometers of rock. Most of that rock is worthless basalt Most, except in Norilsk.

The difference? In Norilsk, there was enough sulfur in the melt, thanks to existing sedimentary rocks, to pull metals out of the melt. 250 million years after it cooled, this became Eurasia’s greatest source of Nickel and Platinum Group Elements, with tonnes and tonnes of copper brought to surface as a bonus.

Norilk’s great rival in the Cold War was Sudbury, Canada– another sulfide melt deposit, this one believed to be associated with the meteorite impact that created the Sudbury Basin. The titanic impact that created the basin also melted a great deal of rock, and as it cooled, terrestrial sulfur combined with metals that had existed in the base rock, and any brought down in the impactor, to freeze out of the melt as sulfides.
Most mining still ongoing in the Sudbury Basin is deep underground, like at Nickel Rim South Mine. (Image: P199.)
While some have called Sudbury “humanity’s first asteroid mine”, it’s a combination of sulfur and magma that created the ore body; there is little evidence to suggest the impactor was itself a nickel-iron asteroid. Once the source of the vast majority of the world’s nickel, peaking at over 80% before WWI, Sudbury remains the largest hard-rock mining centre in North America, and one of the largest in the world, on the weight of all that sulfide.

Since the Moon does not seem to be terribly depleted in sulfur, and has more flood basalt and impact craters than you can shake a stick at, it’s a fairly safe bet that if anyone ever tries to mine metals on Luna, they will be sulfide melt deposits. There’s no reason not to expect Mars to posses its fair share as well.

hackaday.com/2025/08/13/ore-fo…

Trend Micro ha rilevato un attacco mirato ai settori governativo e aeronautico in Medio Oriente, utilizzando un nuovo ransomware chiamato Charon. Gli aggressori hanno utilizzato una complessa catena di infezione con funzionalità di sideload di DLL, iniezione di processi e bypass EDR, tipiche delle operazioni APT avanzate che dei normali ransomware.

Il vettore di attacco inizia con l’avvio di un file Edge.exe legittimo (in precedenza cookie_exporter.exe), che viene utilizzato per caricare una libreria msedge.dll dannosa, denominata SWORDLDR. Quest’ultima decifra lo shellcode crittografato dal file DumpStack.log e inietta il payload, ovvero Charon stesso, nel processo svchost.exe, mascherando l’attività come un servizio di sistema Windows.

Dopo aver decifrato tutti i livelli di mascheramento, gli esperti hanno confermato che l’eseguibile finale crittografa i dati e lascia un segno distintivo di infezione – “hCharon è entrato nel mondo reale!” – alla fine di ogni file crittografato. Tutti i file crittografati ricevono l’estensione .Charon e nelle directory compare una richiesta di riscatto – How To Restore Your Files.txt – che menziona una vittima specifica, confermando la natura mirata dell’attacco.

Charon supporta una varietà di opzioni da riga di comando, dalla specifica dei percorsi di crittografia alla definizione delle priorità delle risorse di rete. All’avvio, crea un mutex chiamato OopsCharonHere, termina i processi di protezione, disabilita i servizi di sicurezza, elimina le copie shadow e svuota il Cestino. Quindi procede alla crittografia in un thread multi-thread, evitando i file di sistema (.exe, .dll), così come i propri componenti e la richiesta di riscatto.

Per la crittografia viene utilizzato uno schema ibrido: Curve25519 per lo scambio di chiavi e ChaCha20 per la crittografia dei dati. Ogni file viene fornito con un footer di 72 byte contenente la chiave pubblica e i metadati della vittima, che consente la decrittografia dei dati se la chiave privata è disponibile.

Inoltre, Charon ha capacità di movimento laterale: esegue la scansione della rete utilizzando NetShareEnum e WNetEnumResource, crittografa le condivisioni accessibili e funziona anche con percorsi UNC, bypassando solo ADMIN$ per ridurre le possibilità di essere rilevato.

Il binario contiene anche, sebbene inattivo, un componente basato sul driver del progetto open source Dark-Kill, progettato per disabilitare le soluzioni EDR . Dovrebbe essere installato come servizio WWC, ma non è utilizzato nella versione attuale: probabilmente la funzione non è ancora abilitata ed è in fase di preparazione per future iterazioni.

Sebbene l’uso di strumenti simili a quelli del gruppo cinese Earth Baxia sia sospetto, non ci sono prove conclusive del loro coinvolgimento: forse stanno prendendo in prestito tattiche o sviluppando in modo indipendente gli stessi concetti.

L’emergere di Charon è un’ulteriore prova del fatto che il ransomware sta adottando attivamente sofisticati metodi APT. La combinazione di tecniche di evasione avanzate con danni aziendali diretti sotto forma di perdita di dati e tempi di inattività aumenta i rischi e richiede alle organizzazioni di rivedere la propria strategia di difesa.

L'articolo Arriva Charon Ransomware. Supera EDR, è Stealh e strizza l’occhio ai migliori APT proviene da il blog della sicurezza informatica.

It’s hard to overstate the impact desktop 3D printing has had on the making and hacking scene. It drastically lowered the barrier for many to create their own projects, and much of the prototyping and distribution of parts and tools that we see today simply wouldn’t be possible via traditional means.

What might not be obvious to those new to the game is that much of what we take for granted today in the 3D printing world has its origins in open source hardware (OSHW). Unfortunately, [Josef Prusa] has reason to believe that this aspect of desktop 3D printing is dead.

If you’ve been following 3D printing for awhile, you’ll know how quickly the industry and the hobby have evolved. Just a few years ago, the choice was between spending the better part of $1,000 USD on a printer with all the bells and whistles, or taking your chances with a stripped-down clone for half the price. But today, you can get a machine capable of self calibration and multi-color prints for what used to be entry-level prices. According to [Josef] however, there’s a hidden cost to consider.

(Data from Espacenet International Database by European Patent Organization, March 2025) – Major Point made by Prusa on the number of patents from certain large-name companies
From major development comes major incentives. In 3D printing’s case, we can see the Chinese market dominance. Printers can be sold for a loss, and patents are filed when you can rely on government reimbursements, all help create the market majority we see today. Despite continuing to improve their printers, these advantages have made it difficult for companies such as Prusa Research to remain competitive.

That [Josef] has become disillusioned with open source hardware is unfortunately not news to us. Prusa’s CORE One, as impressive as it is, marked a clear turning point in how the company released their designs. Still, [Prusa]’s claims are not unfounded. Many similar issues have arisen in 3D printing before. One major innovation was even falsely patented twice, slowing adoption of “brick layering” 3D prints.

Nevertheless, no amount of patent trolling or market dominance is going to stop hackers from hacking. So while the companies that are selling 3D printers might not be able to offer them as OSHW, we feel confident the community will continue to embrace the open source principles that helped 3D printing become as big as it is today.

Thanks to [JohnU] for the tip.

hackaday.com/2025/08/13/josef-…

Mark Solotroff, figura cardine della scena noise-industrial e power electronics americana (fondatore di Intrinsic Action, Anatomy Of Habit, BLOODYMINDED), torna quest'anno con In Search of Total Placelessness
#musica

iyezine.com/mark-solotroff-in-…

@Musica Agorà

Mark Solotroff - In Search of Total Placelessness - In Your Eyes ezine

Mark Solotroff, figura cardine della scena noise-industrial e power electronics americana (fondatore di Intrinsic Action, Anatomy Of Habit, BLOODYMINDED), torna quest'anno con In Search of Total Placelessness

^{NoiseGang (In Your Eyes ezine)}

The Unknowns "Looking from the outside": un'esperienza punk che scuote e incendia! Scopri il terzo album della band australiana che spacca!

iyezine.com/the-unknowns-looki…

#musica @Musica Agorà

The Unknowns - Looking from the outside - In Your Eyes ezine

The Unknowns "Looking from the outside": un'esperienza punk che scuote e incendia! Scopri il terzo album della band australiana che spacca!

^{Reverend Shit-Man (In Your Eyes ezine)}

Introduction

Phishing and scams are dynamic types of online fraud that primarily target individuals, with cybercriminals constantly adapting their tactics to deceive people. Scammers invent new methods and improve old ones, adjusting them to fit current news, trends, and major world events: anything to lure in their next victim.

Since our last publication on phishing tactics, there has been a significant leap in the evolution of these threats. While many of the tools we previously described are still relevant, new techniques have emerged, and the goals and methods of these attacks have shifted.

In this article, we will explore:

• The impact of AI on phishing and scams
• How the tools used by cybercriminals have changed
• The role of messaging apps in spreading threats
• Types of data that are now a priority for scammers

AI tools leveraged to create scam content

Text

Traditional phishing emails, instant messages, and fake websites often contain grammatical and factual errors, incorrect names and addresses, and formatting issues. Now, however, cybercriminals are increasingly turning to neural networks for help.

They use these tools to create highly convincing messages that closely resemble legitimate ones. Victims are more likely to trust these messages, and therefore, more inclined to click a phishing link, open a malicious attachment, or download an infected file.

Example of a phishing email created with DeepSeek

The same is true for personal messages. Social networks are full of AI bots that can maintain conversations just like real people. While these bots can be created for legitimate purposes, they are often used by scammers who impersonate human users. In particular, phishing and scam bots are common in the online dating world. Scammers can run many conversations at once, maintaining the illusion of sincere interest and emotional connection. Their primary goal is to extract money from victims by persuading them to pursue “viable investment opportunities” that often involve cryptocurrency. This scam is known as pig butchering. AI bots are not limited to text communication, either; to be more convincing, they also generate plausible audio messages and visual imagery during video calls.

Deepfakes and AI-generated voices

As mentioned above, attackers are actively using AI capabilities like voice cloning and realistic video generation to create convincing audiovisual content that can deceive victims.

Beyond targeted attacks that mimic the voices and images of friends or colleagues, deepfake technology is now being used in more classic, large-scale scams, such as fake giveaways from celebrities. For example, YouTube users have encountered Shorts where famous actors, influencers, or public figures seemingly promise expensive prizes like MacBooks, iPhones, or large sums of money.

Deepfake YouTube Short

The advancement of AI technology for creating deepfakes is blurring the lines between reality and deception. Voice and visual forgeries can be nearly indistinguishable from authentic messages, as traditional cues used to spot fraud disappear.

Recently, automated calls have become widespread. Scammers use AI-generated voices and number spoofing to impersonate bank security services. During these calls, they claim there has been an unauthorized attempt to access the victim’s bank account. Under the guise of “protecting funds”, they demand a one-time SMS code. This is actually a 2FA code for logging into the victim’s account or authorizing a fraudulent transaction.
media.kasperskycontenthub.com/…Example of an OTP (one-time password) bot call

Data harvesting and analysis

Large language models like ChatGPT are well-known for their ability to not only write grammatically correct text in various languages but also to quickly analyze open-source data from media outlets, corporate websites, and social media. Threat actors are actively using specialized AI-powered OSINT tools to collect and process this information.

The data so harvested enables them to launch phishing attacks that are highly tailored to a specific victim or a group of victims – for example, members of a particular social media community. Common scenarios include:

• Personalized emails or instant messages from what appear to be HR staff or company leadership. These communications contain specific details about internal organizational processes.
• Spoofed calls, including video chats, from close contacts. The calls leverage personal information that the victim would assume could not be known to an outsider.

This level of personalization dramatically increases the effectiveness of social engineering, making it difficult for even tech-savvy users to spot these targeted scams.

Phishing websites

Phishers are now using AI to generate fake websites too. Cybercriminals have weaponized AI-powered website builders that can automatically copy the design of legitimate websites, generate responsive interfaces, and create sign-in forms.

Some of these sites are well-made clones nearly indistinguishable from the real ones. Others are generic templates used in large-scale campaigns, without much effort to mimic the original.

Phishing pages mimicking travel and tourism websites

Often, these generic sites collect any data a user enters and are not even checked by a human before being used in an attack. The following are examples of sites with sign-in forms that do not match the original interfaces at all. These are not even “clones” in the traditional sense, as some of the brands being targeted do not offer sign-in pages.

These types of attacks lower the barrier to entry for cybercriminals and make large-scale phishing campaigns even more widespread.

Login forms on fraudulent websites

Telegram scams

With its massive popularity, open API, and support for crypto payments, Telegram has become a go-to platform for cybercriminals. This messaging app is now both a breeding ground for spreading threats and a target in itself. Once they get their hands on a Telegram account, scammers can either leverage it to launch attacks on other users or sell it on the dark web.

Malicious bots

Scammers are increasingly using Telegram bots, not just for creating phishing websites but also as an alternative or complement to these. For example, a website might be used to redirect a victim to a bot, which then collects the data the scammers need. Here are some common schemes that use bots:

• Crypto investment scams: fake token airdrops that require a mandatory deposit for KYC verification

Telegram bot seemingly giving away SHIBARMY tokens

• Phishing and data collection: scammers impersonate official postal service to get a user’s details under the pretense of arranging delivery for a business package.

Phishing site redirects the user to an “official” bot.

• Easy money scams: users are offered money to watch short videos.

Phishing site promises easy earnings through a Telegram bot.

Unlike a phishing website that the user can simply close and forget about when faced with a request for too much data or a commission payment, a malicious bot can be much more persistent. If the victim has interacted with a bot and has not blocked it, the bot can continue to send various messages. These might include suspicious links leading to fraudulent or advertising pages, or requests to be granted admin access to groups or channels. The latter is often framed as being necessary to “activate advanced features”. If the user gives the bot these permissions, it can then spam all the members of these groups or channels.

Account theft

When it comes to stealing Telegram user accounts, social engineering is the most common tactic. Attackers use various tricks and ploys, often tailored to the current season, events, trends, or the age of their target demographic. The goal is always the same: to trick victims into clicking a link and entering the verification code.

Links to phishing pages can be sent in private messages or posted to group chats or compromised channels. Given the scale of these attacks and users’ growing awareness of scams within the messaging app, attackers now often disguise these phishing links using Telegram’s message-editing tools.

This link in this phishing message does not lead to the URL shown

New ways to evade detection

Integrating with legitimate services

Scammers are actively abusing trusted platforms to keep their phishing resources under the radar for as long as possible.

• Telegraph is a Telegram-operated service that lets anyone publish long-form content without prior registration. Cybercriminals take advantage of this feature to redirect users to phishing pages.

Phishing page on the telegra.ph domain

• Google Translate is a machine translation tool from Google that can translate entire web pages and generate links like https://site-to-translate-com.translate.goog/… Attackers exploit it to hide their assets from security vendors. They create phishing pages, translate them, and then send out the links to the localized pages. This allows them to both avoid blocking and use a subdomain at the beginning of the link that mimics a legitimate organization’s domain name, which can trick users.

Localized phishing page

• CAPTCHA protects websites from bots. Lately, attackers have been increasingly adding CAPTCHAs to their fraudulent sites to avoid being flagged by anti-phishing solutions and evade blocking. Since many legitimate websites also use various types of CAPTCHAs, phishing sites cannot be identified by their use of CAPTCHA technology alone.

CAPTCHA on a phishing site

Blob URL

Blob URLs (blob:example.com/…) are temporary links generated by browsers to access binary data, such as images and HTML code, locally. They are limited to the current session. While this technology was originally created for legitimate purposes, such as previewing files a user is uploading to a site, cybercriminals are actively using it to hide phishing attacks.

Blob URLs are created with JavaScript. The links start with “blob:” and contain the domain of the website that hosts the script. The data is stored locally in the victim’s browser, not on the attacker’s server.

Blob URL generation script inside a phishing kit

Hunting for new data

Cybercriminals are shifting their focus from stealing usernames and passwords to obtaining irrevocable or immutable identity data, such as biometrics, digital signatures, handwritten signatures, and voiceprints.

For example, a phishing site that asks for camera access supposedly to verify an account on an online classifieds service allows scammers to collect your biometric data.

Phishing for biometrics

For corporate targets, e-signatures are a major focus for attackers. Losing control of these can cause significant reputational and financial damage to a company. This is why services like DocuSign have become a prime target for spear-phishing attacks.

Phishers targeting DocuSign accounts

Even old-school handwritten signatures are still a hot commodity for modern cybercriminals, as they remain critical for legal and financial transactions.

Phishing for handwritten signatures

These types of attacks often go hand-in-hand with attempts to gain access to e-government, banking and corporate accounts that use this data for authentication.

These accounts are typically protected by two-factor authentication, with a one-time password (OTP) sent in a text message or a push notification. The most common way to get an OTP is by tricking users into entering it on a fake sign-in page or by asking for it over the phone.

Attackers know users are now more aware of phishing threats, so they have started to offer “protection” or “help for victims” as a new social engineering technique. For example, a scammer might send a victim a fake text message with a meaningless code. Then, using a believable pretext – like a delivery person dropping off flowers or a package – they trick the victim into sharing that code. Since the message sender indeed looks like a delivery service or a florist, the story may sound convincing. Then a second attacker, posing as a government official, calls the victim with an urgent message, telling them they have just been targeted by a tricky phishing attack. They use threats and intimidation to coerce the victim into revealing a real, legitimate OTP from the service the cybercriminals are actually after.

Fake delivery codes

Takeaways

Phishing and scams are evolving at a rapid pace, fueled by AI and other new technology. As users grow increasingly aware of traditional scams, cybercriminals change their tactics and develop more sophisticated schemes. Whereas they once relied on fake emails and websites, today, scammers use deepfakes, voice cloning and multi-stage tactics to steal biometric data and personal information.
Here are the key trends we are seeing:

• Personalized attacks: AI analyzes social media and corporate data to stage highly convincing phishing attempts.
• Usage of legitimate services: scammers are misusing trusted platforms like Google Translate and Telegraph to bypass security filters.
• Theft of immutable data: biometrics, signatures, and voiceprints are becoming highly sought-after targets.
• More sophisticated methods of circumventing 2FA: cybercriminals are using complex, multi-stage social engineering attacks.

How do you protect yourself?

• Critically evaluate any unexpected calls, emails, or messages. Avoid clicking links in these communications, even if they appear legitimate. If you do plan to open a link, verify its destination by hovering over it on a desktop or long-pressing on a mobile device.
• Verify sources of data requests. Never share OTPs with anyone, regardless of who they claim to be, even if they say they are a bank employee.
• Analyze content for fakery. To spot deepfakes, look for unnatural lip movements or shadows in videos. You should also be suspicious of any videos featuring celebrities who are offering overly generous giveaways.
• Limit your digital footprint. Do not post photos of documents or sensitive work-related information, such as department names or your boss’s name, on social media.

securelist.com/new-phishing-an…

If your guitar needs more distortion, lower audio fidelity, or another musical effect, you can always shell out some money to get a dedicated piece of hardware. For a less conventional route, though, you could follow [Brek Martin]’s example and reprogram a handheld game console as a digital effects processor.

[Brek] started with a Sony PSP 3000 handheld, with which he had some prior programming experience, having previously written a GPS maps program and an audio recorder for it. The PSP has a microphone input as part of the connector for a headset and remote, though [Brek] found that a Sony remote’s PCB had to be plugged in before the PSP would recognize the microphone. To make things a bit easier to work with, he made a circuit board that connected the remote’s hardware to a microphone jack and an output plug.

[Brek] implemented three effects: a flanger, bitcrusher, and crossover distortion. Crossover distortion distorts the signal as it crosses zero, the bitcrusher reduces sample rate to make the signal choppier, and the flanger mixes the current signal with its variably-delayed copy. [Brek] would have liked to implement more effects, but the program’s lag would have made it impractical. He notes that the program could run more quickly if there were a way to reduce the sample chunk size from 1024 samples, but if there is a way to do so, he has yet to find it.

If you’d like a more dedicated digital audio processor, you can also build one, perhaps using some techniques to reduce lag.

youtube.com/embed/MlPtfeSyyak?…

hackaday.com/2025/08/13/runnin…

Un aggiornamento critico di sicurezza è stato rilasciato da Google Chrome, il quale risolve sei vulnerabilità di sicurezza che potrebbero essere sfruttate per eseguire codice arbitrario sui sistemi coinvolti. È stato quindi distribuito un aggiornamento di sicurezza in emergenza.

L’aggiornamento alla versione stabile 139.0.7258.127/.128 per Windows e Mac e 139.0.7258.127 per Linux contiene patch per diverse falle di sicurezza di elevata gravità che pongono rischi significativi per i dati degli utenti e l’integrità del sistema.

L’aggiornamento di sicurezza prende di mira tre vulnerabilità di elevata gravità che potrebbero causare l’esecuzione di codice arbitrario. Il CVE-2025-8879 rappresenta una vulnerabilità di heap buffer overflow nella libreria libaom, che gestisce le operazioni di codifica e decodifica video.

Questo tipo di vulnerabilità consente agli aggressori di scrivere dati oltre i limiti di memoria allocati, sovrascrivendo potenzialmente informazioni critiche del sistema. Invece il CVE-2025-8880 risolve una condizione di competizione nel motore JavaScript V8 di Google, segnalata dal ricercatore di sicurezza Seunghyun Lee.

Le condizioni di competizione si verificano quando più processi tentano di accedere simultaneamente a risorse condivise, creando un comportamento imprevedibile che gli aggressori possono sfruttare.

La terza falla di gravità elevata, CVE-2025-8901, riguarda una vulnerabilità di scrittura fuori dai limiti in ANGLE (Almost Native Graphics Layer Engine), che traduce le chiamate API OpenGL ES in API supportate dall’hardware.

Il team di sicurezza di Chrome ha utilizzato diverse metodologie di rilevamento avanzate per identificare queste vulnerabilità, tra cui AddressSanitizer per rilevare bug di danneggiamento della memoria, MemorySanitizer per letture di memoria non inizializzate e UndefinedBehaviorSanitizer per rilevare comportamenti indefiniti nel codice C/C++.

L’aggiornamento incorpora anche i meccanismi di integrità del flusso di controllo e i risultati dei framework di test libFuzzer e AFL (American Fuzzy Lop).

L'articolo Aggiornamento Critico per Google Chrome: Patch per varie Vulnerabilità proviene da il blog della sicurezza informatica.

Agosto Patch Tuesday: Microsoft rilascia aggiornamenti sicurezza che fixano 107 vulnerabilità nei prodotti del suo ecosistema. L’aggiornamento include correzioni per 90 vulnerabilità, classificate come segue: 13 sono critiche, 76 sono importanti, una è moderata e una è bassa.

In particolare, nessuna di queste vulnerabilità è elencata come vulnerabilità zero-day attivamente sfruttata, il che offre un certo sollievo agli amministratori IT. Le vulnerabilità rientrano in diverse categorie, tra cui Esecuzione di codice remoto (RCE), Elevazione dei privilegi (EoP), Divulgazione di informazioni, Spoofing, Denial of Service (DoS) e Manomissione.

Il 12 agosto 2025, Microsoft ha rilasciato i suoi aggiornamenti di sicurezza mensili Patch Tuesday, risolvendo un numero significativo di vulnerabilità nel suo ecosistema di prodotti.

Le vulnerabilità di esecuzione di codice remoto dominano il Patch Tuesday di questo mese, con 36 vulnerabilità corrette, 10 delle quali classificate come Critiche. Queste falle potrebbero consentire agli aggressori di eseguire codice arbitrario, compromettendo potenzialmente interi sistemi.

Le principali vulnerabilità di esecuzione di codice remoto includono:

• DirectX Graphics Kernel (CVE-2025-50176 , critico) : un difetto di type confusion nel Graphics Kernel consente l’esecuzione di codice locale da parte di un aggressore autorizzato.
• Microsoft Office ( CVE-2025-53731 , CVE-2025-53740 , Critico) : molteplici vulnerabilità di tipo use-after-free in Microsoft Office consentono ad aggressori non autorizzati di eseguire codice localmente.
• Componente grafico di Windows ( CVE-2025-50165 , critico) : un dereferenziamento di puntatore non attendibile nel componente grafico di Microsoft consente ad aggressori non autorizzati di eseguire codice su una rete.
• Microsoft Word ( CVE-2025-53733 , CVE-2025-53784 , Critico) : difetti in Microsoft Word, tra cui la conversione errata del tipo numerico e problemi di tipo use-after-free, consentono l’esecuzione di codice locale.
• Windows Hyper-V (CVE-2025-48807, Critico) : una restrizione impropria dei canali di comunicazione in Hyper-V consente l’esecuzione di codice locale.
• Microsoft Message Queuing (MSMQ) (CVE-2025-50177, Critico; CVE-2025-53143, CVE-2025-53144, CVE-2025-53145, Importante) : diverse vulnerabilità, tra cui difetti di tipo use-after-free e di confusione dei tipi, interessano MSMQ, consentendo l’esecuzione di codice basato sulla rete.
• GDI+ ( CVE-2025-53766 , Critico) : un heap buffer overflow in Windows GDI+ consente l’esecuzione di codice basato sulla rete.
• Servizio Routing e Accesso Remoto di Windows (RRAS) (CVE-2025-49757, CVE-2025-50160, CVE-2025-50162, CVE-2025-50163, CVE-2025-50164, CVE-2025-53720, Importante) : heap buffer overflow basati su heap in RRAS consentono l’esecuzione di codice basato sulla rete.
• Microsoft Excel (CVE-2025-53741, CVE-2025-53759, CVE-2025-53737, CVE-2025-53739, Importante) : heap buffer overflow e i problemi di tipo use-after-free in Excel consentono l’esecuzione di codice locale.

L'articolo Verso un ferragosto col botto! 36 RCE per il Microsoft Patch Tuesday di Agosto proviene da il blog della sicurezza informatica.

Nell’ambito degli aggiornamenti di sicurezza di agosto 2025 del tipo Patch Tuesday, è stata aggiornata una vulnerabilità critica di Remote Code Execution (RCE) nel software di collaborazione Teams prodotto da Microsoft.

La falla critica, monitorata come CVE-2025-53783, potrebbe consentire a un aggressore non autorizzato di leggere, scrivere e persino eliminare messaggi e dati degli utenti eseguendo codice su una rete. Un aggressore potrebbe sfruttare questa falla per sovrascrivere dati critici o eseguire codice dannoso nel contesto dell’applicazione Teams.

Microsoft sostiene che un exploit funzionante per questo bug potrebbe comportare conseguenze significative per la segretezza, l’integrità e l’accessibilità dei dati di un utente, consentendo all’attaccante di acquisire i diritti di lettura, scrittura e cancellazione dei dati.

La vulnerabilità è un heap buffer overflow, un tipo di debolezza di corruzione della memoria in cui un’applicazione può essere costretta a memorizzare dati oltre lo spazio di memoria allocato.

L’azienda sottolinea che lo sfruttamento di questa falla presenta un elevato grado di complessità (AC: H), che richiede all’aggressore di raccogliere informazioni specifiche sull’ambiente di destinazione.

Inoltre, per un attacco riuscito è necessaria l’interazione dell’utente, il che significa che il bersaglio dovrebbe probabilmente cliccare su un collegamento dannoso o aprire un file creato appositamente.

All’atto della dichiarazione, la falla di sicurezza non era stata resa pubblica né sfruttata in modo attivo. Secondo la stima di Microsoft sulla possibilità di sfruttamento, quest’ultimo è considerato “Meno plausibile”.

L’azienda ha già rilasciato una correzione ufficiale e invita utenti e amministratori ad applicare gli ultimi aggiornamenti di sicurezza per mitigare il rischio.

Questa vulnerabilità di Teams è stata una delle 107 falle risolte nella versione Patch Tuesday di questo mese , che includeva anche una correzione per una vulnerabilità zero-day divulgata pubblicamente in Windows Kerberos.

L'articolo Vulnerabilità RCE critica in Microsoft Teams: aggiornamento urgente necessario proviene da il blog della sicurezza informatica.

29.000 server Exchange sono vulnerabili al CVE-2025-53786, che consente agli aggressori di muoversi all’interno degli ambienti cloud Microsoft, portando potenzialmente alla compromissione completa del dominio.

Il CVE-2025-53786 consente agli aggressori che hanno già ottenuto l’accesso amministrativo ai server Exchange locali di aumentare i privilegi nell’ambiente cloud connesso di un’organizzazione falsificando o manipolando token attendibili e richieste API. Questo attacco non lascia praticamente alcuna traccia, rendendolo difficile da rilevare.

La vulnerabilità riguarda Exchange Server 2016, Exchange Server 2019 e Microsoft Exchange Server Subscription Edition nelle configurazioni ibride.

La vulnerabilità è correlata alle modifiche apportate nell’aprile 2025, quando Microsoft ha rilasciato linee guida e un hotfix per Exchange nell’ambito della Secure Future Initiative. In quell’occasione, l’azienda è passata a una nuova architettura con un’applicazione ibrida separata che ha sostituito l’identità condivisa non sicura utilizzata in precedenza dai server Exchange locali ed Exchange Online.

In seguito, i ricercatori hanno scoperto che questo schema lasciava aperta la possibilità di attacchi pericolosi. Alla conferenza Black Hat , Outsider Security dimostrò un simile attacco post-exploit.

“Inizialmente non l’ho considerata una vulnerabilità perché il protocollo utilizzato per questi attacchi era stato progettato tenendo conto delle caratteristiche discusse nel rapporto e mancava semplicemente di importanti controlli di sicurezza”, afferma Dirk-Jan Mollema di Outsider Security.

Sebbene gli esperti Microsoft non abbiano trovato alcun segno di sfruttamento del problema in attacchi reali, la vulnerabilità è stata contrassegnata come “Sfruttamento più probabile“, il che significa che l’azienda prevede che gli exploit appariranno presto.

Come avvertono gli analisti di Shadowserver , ci sono 29.098 server Exchange sulla rete che non hanno ricevuto le patch. Di conseguenza, sono stati trovati più di 7.200 indirizzi IP negli Stati Uniti, oltre 6.700 in Germania e più di 2.500 in Russia.

Il giorno dopo la divulgazione del problema, la Cybersecurity and Infrastructure Security Agency (CISA) degli Stati Uniti ha emesso una direttiva di emergenza ordinando a tutte le agenzie federali (inclusi i dipartimenti del Tesoro e dell’Energia) di affrontare urgentemente la minaccia.

In un bollettino di sicurezza separato , i rappresentanti della CISA hanno sottolineato che la mancata correzione di CVE-2025-53786 potrebbe portare alla “completa compromissione di un cloud ibrido e di un dominio on-premise”.

Come spiegato da Mollema, gli utenti di Microsoft Exchange che hanno già installato l’hotfix menzionato e seguito le raccomandazioni di aprile dell’azienda dovrebbero essere protetti dal nuovo problema. Tuttavia, coloro che non hanno ancora implementato le misure di protezione sono ancora a rischio e dovrebbero installare l’hotfix e seguire anche le istruzioni di Microsoft ( 1 , 2 ) sull’implementazione di un’app ibrida di Exchange separata.

“In questo caso, non è sufficiente applicare semplicemente una patch; sono necessari ulteriori passaggi manuali per migrare a un servizio principale dedicato”, ha spiegato Mollema. “L’urgenza dal punto di vista della sicurezza è determinata dall’importanza per gli amministratori di isolare le risorse di Exchange on-premise da quelle ospitate nel cloud. Nella vecchia configurazione, il sistema Exchange ibrido aveva pieno accesso a tutte le risorse di Exchange Online e SharePoint”.

Lo specialista ha inoltre sottolineato ancora una volta che lo sfruttamento di CVE-2025-53786 avviene dopo la compromissione, ovvero l’aggressore deve compromettere in anticipo l’ambiente locale o i server Exchange e disporre dei privilegi di amministratore.

L'articolo 29.000 server Exchange a rischio. L’exploit per il CVE-2025-53786 è sotto sfruttamento proviene da il blog della sicurezza informatica.

If you learned to type anytime in the mid-part of the 20th century, you probably either had or wanted an IBM Selectric. These were workhorses and changed typing by moving from typebars to a replaceable wheel. They were expensive, though worth it since many of them still work (including mine). But few of us could afford the $1,000 or more that these machines cost back in the day, especially when you consider that $1,000 was enough to buy a nice car for most of that time. [Tech Tangents] looks at something different: a clone Selectric from the sewing machine and printer company Juki.

The typewriter was the brainchild of [Thomas O’Reilly]. He sold typewriters and knew that a $500 compatible machine would sell. He took the prototype to Juki, which was manufacturing typewriters for Olivetti at the time.

Although other typewriters used typeballs, none of them were actual clones and didn’t take IBM typeballs. Juki even made their own typeballs. You’d think IBM might have been upset, but they were already moving towards the “wheelwriter,” which used a daisywheel element. Juki would later make a Xerox-compatible daisywheel printer, again at a fraction of the cost of the original.

Even the Juki manual was essentially a rip-off of the IBM Selectric manual. Sincerest form of flattery, indeed. It did appear that the ribbon was not a standard IBM cartridge. That makes them hard to find compared to Selectric ribbons, but they are nice since they have correction tape built in. The video mentions that you can find them on eBay and similar sites.

There were a few other cost savings. First, the Juki was narrower than most Selectrics. It also had a plastic case, although if you have ever had to carry a Selectric up a few flights of stairs, you might consider that a feature.

The Juki in the video doesn’t quite work, but it is a quirky machine with an odd history. Today, you can print your own typeballs. We wonder if these would be amenable to computer control like the Selectrics?

youtube.com/embed/EQMOWNUJq7U?…

hackaday.com/2025/08/12/thats-…

[Menadue] had a vintage Compucorp 326 calculator with an aging problem. Specifically, the flex cable that connects the button pad had turned corroded over time. However, thanks to the modern PCB industrial complex, replacing the obscure part was relatively straightforward!

The basic idea was simple enough: measure the original flex cable, and recreate it with the flat-flex PCB options available at many modern PCB houses that cater to small orders and hobbyists. [Menadue] had some headaches, having slightly misjudged the pitch of the individual edge-connector contacts. However, he figured that if lined up just right, it was close enough to still work. With the new flex installed, the calculator sprung into life…only several keys weren’t working. Making a new version with the correct pitch made all the difference, however, and the calculator was restored to full functionality.

It goes to show that as long as your design skills are up to scratch, you can replace damaged flex-cables in old hardware with brand new replacements. There’s a ton of other cool stuff you can do with flex PCBs, too.

youtube.com/embed/QmJaNzWDqbY?…

hackaday.com/2025/08/12/creati…

Fluid-Implicit-Particle or FLIP is a method for simulating particle interactions in fluid dynamics, commonly used in visual effects for its speed. [Nick] adapted this technique into an impressive FLIP business card.

The first thing you’ll notice about this card is its 441 LEDs arranged in a 21×21 matrix. These LEDs are controlled by an Raspberry Pi RP2350, which interfaces with a LIS2DH12TR accelerometer to detect card movement and a small 32Mb memory chip. The centerpiece is a fluid simulation where tilting the card makes the LEDs flow like water in a container. Written in Rust, the firmware implements a FLIP simulation, treating the LEDs as particles in a virtual fluid for a natural, flowing effect.

This eye-catching business card uses clever tricks to stay slim. The PCB is just 0.6mm thick—compared to the standard 1.6mm—and the 3.6mm-thick 3.7V battery sits in a cutout to distribute its width across both sides of the board. The USB-C connection for charging and programming uses clever PCB cuts, allowing the plug to slide into place as if in a dedicated connector.

Inspired by a fluid simulation pendant we previously covered, this board is just as eye-catching. Thanks to [Nick] for sharing the design files for this unique business card. Check out other fluid dynamics projects we’ve featured in the past.

hackaday.com/2025/08/12/leds-t…